
Information and Region

Fujitsu Systems Europe takes the security of customer information very seriously. Here is how and where COD stores your information.

What information does COD store?

COD does not store customer data.

COD stores the following information about chromatogram data for a limited period (15 days):

    {
      "analysis_infos": {
        "barcode": "ed11447901b94e2567cad28f22a43a88",
        "creation_date": "25-09-2023",
        "modification_date": "11-08-2023",
        "name": "35152.D",
        "path": "/nas/shared/Data/MixGC_09-08/35152.D",
        "type": "sample_analysis"
      },
      "measures": [
        {
          "channels": {
            "1": {
              "ampl": [ 263.795013427734, 281.661651611328, 242.303253173828, … ],
              "ampl_max": 963.73974609375,
              "ampl_min": 91.7718505859375,
              "candidates": null,
              "ce": 0,
              "ev": 10.0,
              "peak": null,
              "q1": 153.0,
              "q1_res": null,
              "q3": 110.0,
              "q3_res": null,
              "raw_ampl": [ 263.795013427734, 281.661651611328, 302.035736083984, … ],
              "seg_id": null,
              "segment": 1,
              "time_seg": null
            },
          ],
          "time_step": 0.0066512012012012
        },
        .

No explicit personal data is collected from infrastructure and services resources. Collected information consists of chromatogram information.

Where is my information stored?

COD stores information according to the region in which your environment is created.

The following information is stored for 15 days in the host region:

  • chromatogram data

Host Regions

Host regions include:

  • EMEA: eu-central-1

More Information

COD Security

Product and customer data security is of utmost importance at Fujitsu. COD follows security best practices throughout the release life cycle to make sure customer information and data is secured in the best possible way.

Security Overview

Physical security

The COD production infrastructure is hosted in Microsoft Azure Cloud. Physical and environmental security-related controls for COD production servers, which include buildings as well as locks or keys used on doors, are managed by Microsoft Azure Cloud. As per Microsoft Azure Cloud: “Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data center floors.”

COD follows the best practices of the Shared Responsibility model described by Microsoft Azure Cloud.

Product security

COD follows a development lifecycle in line with Agile principles, thus allowing us to address any security-oriented software defects more rapidly, compared to longer release cycle development methodologies. Using continuous integration methodologies, we are able to rapidly respond to both functional and security changes. The change management procedures and policies define when and how changes occur and help to maintain the stability of the production environment. Any impactful changes are formally communicated, coordinated, properly reviewed, and approved prior to their release into the production environment.

Network security

Network access to resources in the COD environment is controlled by host-based firewalls. Each resource (such as a load balancer or virtual machine instance) has a host-based firewall that restricts inbound traffic to only the ports needed for that resource to perform its function.

COD uses various mechanisms including intrusion detection services to monitor the production environment for security anomalies.

Risk Assessment

The COD team follows a formalized Risk Assessment process to provide a systematic, repeatable way to identify and assess risks so that they can be appropriately managed through a Risk Treatment Plan.

Data protection

The COD production environment is set up in a highly redundant infrastructure utilizing multiple availability zones for all services and components. Along with utilizing a highly available and redundant compute infrastructure, critical data is backed up at regular intervals and restores are periodically tested. Formal backup policies and procedures minimize the impact of interruptions of business activities, protect business processes against the effects of failures of information systems or disasters, and ensure their timely and adequate resumption.

Authentication and access management

All customer access to COD is done via browser UI interactions over HTTPS. Authentication is handled by the third-party service Auth0. Fujitsu uses Auth0 as the centralized authentication layer for all Cloud Data services.

COD follows industry best practices including “Least Privilege” and “Role-based access control” around logical access to the COD production environment. Access is controlled on a strict need basis and is only granted for select authorized personnel using multi-factor authentication mechanisms.

Collection and protection of COD data

All customer data is encrypted in transit across public networks and encrypted at rest. COD utilizes encryption at various points in the system to protect customer data, using technologies that include Transport Layer Security (TLS) and the industry-standard AES-256 algorithm.

Customer deprovisioning

Email notifications are sent out at various intervals to inform the customer that their subscription is expiring. Once the subscription has expired, the UI is restricted and a grace period begins for data collection. The customer is then notified via email. Trial subscriptions have a 14-day grace period and paid subscription accounts have a 28-day grace period. After the grace period has expired, the customer is notified via email that the account will be deleted in 2 days. A paid customer can also request directly to be removed from the service.

Expired tenants and all associated customer data are deleted by the COD Operations (SRE) team at the end of the grace period or upon confirmation of a customer’s request to terminate their account. In either case, the SRE team runs an API call to delete the account. The API call deletes the tenant instance and all customer data. Customer deletion is verified by calling the same API and verifying that the customer tenant status is “DELETED.”

Security incident management

COD is integrated with Fujitsu’s Product Security Incident Response Team (PSIRT) process to find, assess, and resolve known vulnerabilities. PSIRT intakes vulnerability information from multiple channels including customer reports, internal engineering, and widely recognized sources such as the CVE database.

If an issue is detected by the COD engineering team, the team will initiate the PSIRT process, assess, and potentially remediate the issue.

It is also possible that a COD customer or researcher may identify a security issue with the COD product and report the issue to Technical Support or directly to Fujitsu’s incident response team. In these cases, the COD team will initiate the PSIRT process, assess, and potentially remediate the issue.

Vulnerability and Penetration testing

COD follows industry best practices and performs regular vulnerability and penetration testing using internal and external security professionals and companies.

Security awareness training

All COD personnel undergo security training, developed for individual roles, to make sure each employee is equipped to handle the specific security-oriented challenges of their roles.

Compliance

COD undergoes independent third-party audits and validations by an external licensed CPA firm of its security, processes, and services, including completion of the SOC 2 audit.

fujitsu/alphacod/prod/en/security.txt · Last modified: 2025/07/10 10:07 by 127.0.0.1